Cryptomining has become a gold rush of nowadays, and cybercriminals are also seized by it. They invent more and more cunning gimmicks to infect users’ machines and make them mine cryptocurrency for the attackers’ profit. The cybercrime recently detected by Comodo specialists is a striking illustration of this process. To infect users all over the world, the attackers used the legitimate application installer, the replicated server and… well, let’s not jump ahead but come through all the attack chain from the beginning to the end.
Here is PDFescape software. Many people use it to edit, annotate or fill forms in .PDF files. It’s highly likely you also used this or a similar software.
Of course, it’s legitimate and secure … at least it was so till the recent time when an idea to use it for spreading malware came to a cybercriminal’s mind.
But what is especially interesting, the malicious hackers didn’t try just to mimic PDFescape. They went further and decided to create its evil clone.
Just think of the attack’s scope: the perpetrators recreated the software partner’s infrastructure on a server under their control. Then they copied all MSI (installer package file for Windows) files and placed them on that server. The cloned software was the exact replica of the original one … except one small detail: the attackers decompiled and modified one of MSI files, an Asian font’s pack. And added the malicious payload containing some coinmining code.
This black magic turns original installer of PDFescape into a malicious one.
This modified installer redirects users to the malicious website and downloads the payload with the hidden file.
As you can see, the hacked installer has not original digital signature:
But how exactly this malware harm? Let’s see.
When a victim downloads this pdfescape-desktop-Asian-and-extended-font-pack, the malicious binary xbox-service.exe drops in Windows system32 folder and executes the malicious DLL, using run32dll. Disguising as setup.log, the malicious DLL hides in Windows folder.
Here is the process flow.
The pdfescape-desktop-Asian-and-extended-font-pack.msi is installed by the com
mand line “C:\\Windows\System32\msiexec.exe” /i
Then the installer drops xbox-service.exe in the system32 folder.
The dropped xbox-service.exe starts working as a service:
Then it runs malicious DLL under rundll32 by the name setup.log using the command line:
The modified MSI has embedded malicious DLL file. This DLL, in its turn, contains two executable files in the Resources.
Thus, the DLL file runs malicious process xbox-service.exe.
Another interesting aspect of the DLL payload is that during the installation stage, it tries to modify the Windows HOSTS file to prevent the infected machine from communication with update servers of various PDF-related apps and security software. Thus malware tries to avoid a remote cleaning and remediation of affected machines.
The HOSTS file modified with malicious DLL
And finally, inside the DLL we found the main evil: malicious browser script. The script has an embedded link to http://carma666.byethost12.com/32.html
Let’s follow the link and see where it goes:
So all that fuss was to infect users with a cryptominer?! Yes, that’s right. And it helps us to aware that we shouldn’t take this kind of malware lightly.
“As we mentioned in Comodo Q1 2018 and Q2 2018 Global Threat Reports, cryptominers remain one of the most dangerous threats in the cybersecurity space”, comments Fatih Orhan, The Head of Comodo Threat Research Labs.” Some people consider the cryptominers as a not-so-serious threat because they do not steal information or encrypt users’ files but this mistake can be very costly for them in the reality. Cryptominers are turning into sophisticated malware that can crash users systems or capture all the IT resources of an infected enterprise and make them work only for mining cryptocurrency for cybercriminals. Thus, financial losses from a cryptominer attack can be as devastating as of other malware types. Cryptominers will continue to become more and more devious with their dangerous abilities growing. And the story with modified installer detected by our analysts is a clear evidence of it”.
According to the Comodo stats, this malicious file hit 12 810 users in 100 countries around the world. Below are the top-ten affected countries.
Live secure with Comodo!